1 / 21

How Twiggy Saved Sparky

How Twiggy Saved Sparky. Joseph Calandrino Matt Spear Malware Seminar – Fall 2004. Meet Twiggy. Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data. http://goatload.com/mt/. Meet Robbie.

colorado-alexander
Télécharger la présentation

How Twiggy Saved Sparky

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. How Twiggy Saved Sparky Joseph Calandrino Matt Spear Malware Seminar – Fall 2004

  2. Meet Twiggy Twiggy, while aware of the performance penalties, supports StackShield-like protection methods for critical data. http://goatload.com/mt/

  3. Meet Robbie http://www.mumi.org/metissages/fr/artificiel/artificiel.html http://www.dachshundalley.com/

  4. Robbie’s Setup walkAnimal(name) feedAnimal(name) petAnimal(name) call doAction(action, name)

  5. Evil Is Afoot If only I could modify the action for doAction… http://www.austinpowers.com/ http://www.rit.edu/~sli4356/

  6. More on Robbie petAnimal(name) name action doAction(action, name) Disclaimer: This is simplified

  7. Evil Is Afoot petAnimal(“SPARKYEA”)… Sparky is mine!!!

  8. More on Robbie petAnimal(name) name action doAction(action, name)

  9. Sparky Senses Danger petAnimal(name) name action doAction(action, name) http://www.svet-je-lep.com/gallery/slike/Twiggy/Zanimiv_morfing.jpg

  10. The Dreaded Double Pointer name action http://www.austinpowers.com/

  11. Evil Will Not Be Deterred name action

  12. Turn on the Twiggy-Signal http://www.erva.com/pics/ProductIdeal/SQUIRREL%201.jpg

  13. Twiggy to the Rescue Secret key = 32589Robbie needs to store this somewhere inaccessible to Dr. Evil… name action Modify Robbie’s code tomaintain hashes of all buffers: addr len hash Also stores data for name: http://kevintdriver.hopto.org/images/squirrel.ski.jpg

  14. Without Spoiling Your Day But Twiggy is a busy squirrel, so he enlists the aid of a source-to-source transformer. http://www.lemta.com/boatshows/midamerica/twiggy-history.shtml

  15. Stop That Modification! Check it before use: petAnimal(name) if(hash(_) != _) exit doAction(action, name)

  16. Dr. Evil Is Foiled Dr. Evil can’t effectively modify buffers without altering entries in the table… which are hashed using a secret key. http://www.cotbn.com/2002_12_01_archive.html

  17. But At What Cost? Hashes and checks can be computationally expensive Can Robbie feed Twiggy and Sparky on time? http://www.pets.info.vic.gov.au/02/sdd_dlang.htm http://www.nd.edu/~tdavidso/Mexico.htm

  18. The Statistics

  19. Reduce the Cost Do we need to check all buffers? What about only checking buffers used as inputs to dangerous methods? (That’s all the buffers in our example, but likely far fewer than in the program) Can Twiggy use call-graph analysis to find those buffers?

  20. Did It Work? • Basic defense method protects buffers from modification. • Aliasing ignored. • Can we track down critical buffer values? • We’re still working on that. • But, for Twiggy, yes (this is supposed to be a happy story)

  21. Happily Ever After By maintaining hashes of critical buffer values and verifying them before dangerous function calls, Twiggy efficiently prevents malicious modifications and moves on to new adventures. http://greywolf.critter.net/gallery/ironclawgallery-icsu04.htm

More Related